Security Posture

All security plans have a posture or philosophy about security. The posture determines the approach to security throughout the organization. The two most common postures are referred to as Default DENY and Default ALLOW.

In Default DENY, if something is not explicitly allowed, it is immediately denied. The default action for all security operations is to disallow access to a resource. Least privilege encompasses Default DENY. This is a more secure posture.

Default ALLOW is the opposite; it assumes that all things are allowed unless specifically denied. Systems are completely open except for specific instances where a resource is limited or closed off. End-users find Default ALLOW more convenient.

Some plans mix the two postures. A posture of Default DENY may be assumed for inbound network operations and Default ALLOW for outbound ones. File servers may be subject to Default ALLOW, whereas database servers are subject to Default DENY. In practice, this is what usually happens. A balance is then achieved between the ability for end-users to get to resources they need versus keeping hackers out.

Default DENY is still the better practice despite the limitations it places on end-users.